Monday, March 26, 2007 7:18 PM sandi

What the hell does it take to get AOL to clean up their advertising network?

This is simply not good enough.

MSN / Microsoft acted fast when *their* advertising network was infiltrated.  AOL, it seems, are either incapable or unwilling to do anything to protect their readers.

The following was captured only minutes ago.  This has been going on for days now, yet AOL remains unresponsive, leaving how many millions of users at direct risk of WinFixer infection.  I am going to use every means at my disposal, pull every string, take advantage of every relationship, to try and convince AOL to act.

If AOL will only act under a barrage of negative press, then so be it.  Reality is that MS/MSN reacted, and reacted fast, when their network was infiltrated.  I won't share exactly what MSN/MS did, but I will say that they took extremely strong steps to neutralise the risk to their users - steps that proved to me beyond a shadow of a doubt that MS and MSN were putting the safety of their users before everything else - steps that AOL seem to be unwilling or unable to take.

  Frame:
+ Ethernet: Etype = Internet IP (IPv4)
+ Ipv4: Next Protocol = TCP, Packet ID = 3956, Total IP Length = 932
+ Tcp: Flags=...PA..., SrcPort=49263, DstPort=HTTP Alternate(8080), Len=892, Seq=4159520276 - 4159521168, Ack=3989674427, Win=4380 (scale factor 2) = 17520
- HTTP: Request, GET http://www.errorsafe.com/pages/scanner/index.php
    Command: GET
  + URI: http://www.errorsafe.com/pages/scanner/index.php?aid=oflikely&lid=728&ax=1&ex=1&ed=2
    ProtocolVersion: HTTP/1.1
    Accept:  image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x
    Accept-Language:  en-US
    Referer:  http://2mdn.aolcdn.com/1413639/MS_swf_728x90_En-AOL3.swf?clickTag=http%3A//twx.doubleclick.net/click%253Bh%3Dv8/353d/3/0/%252a/r%253B9113928
    ContentType:  application/x-www-form-urlencoded
    UA-CPU:  x86
    Accept-Encoding:  gzip, deflate
    UserAgent:  Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; InfoPath.2)
    Host:  www.errorsafe.com
    Proxy-Connection:  Keep-Alive
    Cookie:  lang=en; aid=oflikely; lid=728; cnt=AU; lng=en
    HeaderEnd: CRLF

  Frame:
+ Ethernet: Etype = Internet IP (IPv4)
+ Ipv4: Next Protocol = TCP, Packet ID = 3957, Total IP Length = 845
+ Tcp: Flags=...PA..., SrcPort=49263, DstPort=HTTP Alternate(8080), Len=805, Seq=4159521168 - 4159521973, Ack=3989675429, Win=4129 (scale factor 2) = 16516
- HTTP: Request, GET http://adfarm.mediaplex.com/ad/ck/50866
    Command: GET
  + URI: http://adfarm.mediaplex.com/ad/ck/50866?mpt=[CACHEBUSTER]&aid=oflikely_rdt
    ProtocolVersion: HTTP/1.1
    Accept:  image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x
    Accept-Language:  en-US
    Referer:  http://2mdn.aolcdn.com/1413639/MS_swf_728x90_En-AOL3.swf?clickTag=http%3A//twx.doubleclick.net/click%253Bh%3Dv8/353d/3/0/%252a/r%253B9113928
    Cookie:  svid=7106602301
    UA-CPU:  x86
    Accept-Encoding:  gzip, deflate
    UserAgent:  Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; InfoPath.2)
    Host:  adfarm.mediaplex.com
    Proxy-Connection:  Keep-Alive
    HeaderEnd: CRLF

  Frame:
+ Ethernet: Etype = Internet IP (IPv4)
+ Ipv4: Next Protocol = TCP, Packet ID = 3960, Total IP Length = 936
+ Tcp: Flags=...PA..., SrcPort=49263, DstPort=HTTP Alternate(8080), Len=896, Seq=4159521973 - 4159522869, Ack=3989675758, Win=4047 (scale factor 2) = 16188
- HTTP: Request, GET http://www.systemdoctor.com/download/2006/
    Command: GET
  + URI: http://www.systemdoctor.com/download/2006/?p=10&ax=1&ex=1&ed=2&mpt=[CACHEBUSTER]&aid=oflikely_rdt
    ProtocolVersion: HTTP/1.1
    Accept:  image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x
    Accept-Language:  en-US
    Referer:  http://2mdn.aolcdn.com/1413639/MS_swf_728x90_En-AOL3.swf?clickTag=http%3A//twx.doubleclick.net/click%253Bh%3Dv8/353d/3/0/%252a/r%253B9113928
    Cookie:  cnt=AU; lng=en; aid=oflikely_rdt_ed2_au_en; lid=keyin; affid=pp_5608015641; lang=en
    UA-CPU:  x86
    Accept-Encoding:  gzip, deflate
    UserAgent:  Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; InfoPath.2)
    Host:  www.systemdoctor.com
    Proxy-Connection:  Keep-Alive
    HeaderEnd: CRLF
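
An added example, not part of the original post: a small Python pass over the capture that flags requests whose Referer is a Flash creative on one site and whose target is on another site, then groups the targets by creative. The `example.com` frame is constructed for contrast; treating `aid` as a campaign tag and taking the last two host labels as the site are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# URI and Referer lines abridged from the capture above (Referer query string dropped);
# the last frame is constructed here as a same-site contrast case.
SWF = "http://2mdn.aolcdn.com/1413639/MS_swf_728x90_En-AOL3.swf"
CAPTURE = f"""\
  Frame:
  + URI: http://www.errorsafe.com/pages/scanner/index.php?aid=oflikely&lid=728&ax=1&ex=1&ed=2
    Referer:  {SWF}
  Frame:
  + URI: http://adfarm.mediaplex.com/ad/ck/50866?mpt=[CACHEBUSTER]&aid=oflikely_rdt
    Referer:  {SWF}
  Frame:
  + URI: http://www.systemdoctor.com/download/2006/?p=10&ax=1&ex=1&ed=2&mpt=[CACHEBUSTER]&aid=oflikely_rdt
    Referer:  {SWF}
  Frame:
  + URI: http://static.example.com/player/config.xml
    Referer:  http://www.example.com/player/player.swf
"""
FIELD = re.compile(r"^[ \t]*\+?[ \t]*(URI|Referer):[ \t]*(\S+)", re.M)

def parse_frames(text):
    """Split the text on 'Frame:' lines and keep each frame's URI and Referer."""
    chunks = re.split(r"^[ \t]*Frame:[ \t]*$", text, flags=re.M)
    frames = [dict(FIELD.findall(c)) for c in chunks]
    return [f for f in frames if "URI" in f]

def site(host):
    # Simplification: last two labels; production code should use the Public Suffix List.
    return ".".join((host or "").lower().split(".")[-2:])

def creative_navigations(frames):
    """Requests whose Referer is a .swf creative on one site and whose target is another site."""
    hits = []
    for f in frames:
        ref, dest = urlsplit(f.get("Referer", "")), urlsplit(f["URI"])
        if ref.path.lower().endswith(".swf") and site(ref.hostname) != site(dest.hostname):
            aid = parse_qs(dest.query).get("aid", [""])[0]   # assumed campaign tag
            hits.append((ref.hostname + ref.path, dest.hostname, aid))
    return hits

def by_campaign(hits):
    """Group target hosts per creative and per 'aid' prefix (text before the first '_')."""
    groups = {}
    for creative, host, aid in hits:
        groups.setdefault((creative, aid.split("_")[0]), []).append(host)
    return groups

if __name__ == "__main__":
    for key, hosts in by_campaign(creative_navigations(parse_frames(CAPTURE))).items():
        print(key, "->", hosts)
```

Run against a proxy log, the same grouping shows which hosted creative is sending readers off-site and to how many distinct destinations.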

Comments

# Spyware at AOL

Monday, March 26, 2007 2:56 PM by Jean-Marc, XP Geek !

For a good week now (or even longer), Sandi has been sounding the alarm on the net and at AOL.

# Spyware at AOL

Monday, March 26, 2007 2:58 PM by Jean-Marc, XP Geek !

For a good week now (or even longer), Sandi (MVP Internet Explorer) has been sounding the alarm

# re: What the hell does it take to get AOL to clean up their advertising network?

Monday, March 26, 2007 4:37 PM by Joseph

Sandi,

If you know how to get in touch with AOL, please let me know, I'll do my best to cooperate.

# re: What the hell does it take to get AOL to clean up their advertising network?

Monday, March 26, 2007 7:43 PM by Johnincal

Sandi has it correct. Just like many of the non-responsive companies that are losing market share, such as AOL and Yahoo, their decision to escalate an issue is totally dependent on sheer percentage of numbers.

It has been my experience with Yahoo that their Help Center's main job is not to admit any fault (at all costs) and not to investigate or escalate. But, I have to admit, they do a great job of getting back to you in a timely manner, even if it is a useless response.

AOL, on the other hand, does everything it can to make it hard for a user to contact them. If you go to AOL's "Help" site, you will find that their "contact" link does not work (javascript error). And if you go through the maze of support options and finally get to the email "contact" link there, it just redirects you back to where you first started.

Live help is only reserved for AOL Members.

The bottom line... These companies' "help" is no help.

And they sit in their offices making millions of dollars a year in salary and stock options, wondering why they are losing market share.

I can solve that. It is because if a company acts they don't care, the people they want to use their services will not either.

There, problem solved. AOL, Yahoo, Dell and all the other companies, I await your check.

# re: What the hell does it take to get AOL to clean up their advertising network?

Tuesday, March 27, 2007 12:07 PM by Mike Nolet

For the record -- the creative (http://2mdn.aolcdn.com/1413639/MS_swf_728x90_En-AOL3.swf)  is for 'Matchservice.com', which as far as I know is owned by the people behind Errorsafe, in fact it's a fake site :).

Also --  note that AOL is HOSTING this creative on their CDN (Content Delivery Network).  This means it's a deal directly with AOL, not with their ad network 'Advertising.com'.

For fun -- actionscript for the creative is here: http://www.mikeonads.com/wp-content/uploads/2007/03/matchservice.txt

It's a bit hard to tell what it's doing since they used FlashEncrypt.  In fact, 'flashencrypt' states:

"The purpose of obfuscation is not to stop Decompilers from being able to decompile code but to render the decompiled source code unreadable for the human eye. Sintrix does not find this to be a good solution to the problem by itself. Flash Encrypt not only uses Obfuscation but also attacks the Decompiler itself."

So AOL -- the answer is simple.  Decompile all flash ads, if they fail decompiling then don't run it.  If code is obfuscated, DON'T RUN IT.

Oh ... and a few months back when I first ran into 'Matchservice.com' I had a friend in the UK call the # under the registration info and got a plumbing service.  Gotta love it.

# Are Advertisers promoting Malware?

Friday, April 20, 2007 3:54 AM by Hosts News

I was going to blog about another Trojan.Codec site I found, but truthfully this is getting boring ...

# re: What the hell does it take to get AOL to clean up their advertising network?

Saturday, June 02, 2007 12:38 PM by Don French

The window for pop-up preferences is in Spanish and I need one in English. How can it be changed? I wish I could get to AOL through email but I can't get their address.
